Bugtraq mailing list archives
Re: HTB22905: Path disclosure in Wordpress
From: Christian Sciberras <uuf6429 () gmail com>
Date: Tue, 29 Mar 2011 17:42:27 +0200
Ridiculous! I've been talking about this for some time, the actual list of vulnerable files follows: wp-admin\admin-functions.php wp-admin\includes\admin.php wp-admin\includes\class-ftp-pure.php wp-admin\includes\class-ftp-sockets.php wp-admin\includes\class-wp-filesystem-direct.php wp-admin\includes\class-wp-filesystem-ftpext.php wp-admin\includes\class-wp-filesystem-ftpsockets.php wp-admin\includes\class-wp-filesystem-ssh2.php wp-admin\includes\comment.php wp-admin\includes\continents-cities.php wp-admin\includes\file.php wp-admin\includes\media.php wp-admin\includes\misc.php wp-admin\includes\ms.php wp-admin\includes\nav-menu.php wp-admin\includes\plugin-install.php wp-admin\includes\plugin.php wp-admin\includes\schema.php wp-admin\includes\template.php wp-admin\includes\theme-install.php wp-admin\includes\update.php wp-admin\includes\upgrade.php wp-admin\includes\user.php wp-admin\maint\repair.php wp-admin\menu-header.php wp-admin\menu.php wp-admin\options-head.php wp-admin\upgrade-functions.php wp-config.php wp-content\themes\twentyten\404.php wp-content\themes\twentyten\archive.php wp-content\themes\twentyten\attachment.php wp-content\themes\twentyten\author.php wp-content\themes\twentyten\category.php wp-content\themes\twentyten\comments.php wp-content\themes\twentyten\footer.php wp-content\themes\twentyten\functions.php wp-content\themes\twentyten\header.php wp-content\themes\twentyten\loop.php wp-content\themes\twentyten\onecolumn-page.php wp-content\themes\twentyten\page.php wp-content\themes\twentyten\search.php wp-content\themes\twentyten\sidebar-footer.php wp-content\themes\twentyten\sidebar.php wp-content\themes\twentyten\single.php wp-content\themes\twentyten\tag.php wp-includes\Text\Diff\Engine\native.php wp-includes\Text\Diff\Engine\string.php wp-includes\Text\Diff\Engine\xdiff.php wp-includes\Text\Diff\Renderer\inline.php wp-includes\Text\Diff\Renderer.php wp-includes\Text\Diff.php wp-includes\cache.php wp-includes\canonical.php wp-includes\class-feed.php wp-includes\class-simplepie.php wp-includes\class-snoopy.php wp-includes\class.wp-scripts.php wp-includes\class.wp-styles.php wp-includes\classes.php wp-includes\comment-template.php wp-includes\default-embeds.php wp-includes\default-filters.php wp-includes\default-widgets.php wp-includes\feed-atom-comments.php wp-includes\feed-atom.php wp-includes\feed-rdf.php wp-includes\feed-rss.php wp-includes\feed-rss2-comments.php wp-includes\feed-rss2.php wp-includes\general-template.php wp-includes\js\tinymce\langs\wp-langs.php wp-includes\js\tinymce\plugins\spellchecker\classes\EnchantSpell.php wp-includes\js\tinymce\plugins\spellchecker\classes\GoogleSpell.php wp-includes\js\tinymce\plugins\spellchecker\classes\PSpell.php wp-includes\js\tinymce\plugins\spellchecker\classes\PSpellShell.php wp-includes\js\tinymce\plugins\spellchecker\config.php wp-includes\js\tinymce\wp-mce-help.php wp-includes\kses.php wp-includes\l10n.php wp-includes\media.php wp-includes\ms-default-constants.php wp-includes\ms-default-filters.php wp-includes\ms-functions.php wp-includes\ms-settings.php wp-includes\nav-menu-template.php wp-includes\post.php wp-includes\query.php wp-includes\registration-functions.php wp-includes\rss-functions.php wp-includes\rss.php wp-includes\script-loader.php wp-includes\shortcodes.php wp-includes\taxonomy.php wp-includes\template-loader.php wp-includes\theme-compat\comments-popup.php wp-includes\theme-compat\comments.php wp-includes\theme-compat\footer.php wp-includes\theme-compat\header.php wp-includes\theme-compat\sidebar.php wp-includes\theme.php wp-includes\update.php wp-includes\user.php wp-includes\vars.php wp-includes\widgets.php wp-includes\wp-db.php wp-includes\wp-diff.php wp-settings.php That's some 30%-40% of all Wordpress files (depending on Wordpress install). I considered making this public but... http://codex.wordpress.org/Security_FAQ Read the 5th clause. Chris. On Tue, Mar 29, 2011 at 11:55 AM, <advisory () htbridge ch> wrote:
Vulnerability ID: HTB22905 Reference: http://www.htbridge.ch/advisory/path_disclosure_in_wordpress.html Product: Wordpress Vendor: http://wordpress.org/ ( http://wordpress.org/ ) Vulnerable Version: 3.1 Vendor Notification: 15 March 2011 Vulnerability Type: Path disclosure Status: Not Fixed Risk level: Low Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) Vulnerability Details: The vulnerability exists due to failure in the "/wp-includes/theme-compat/" & "/wp-content/themes/twentyten/" scripts, it's possible to generate an error that will reveal the full path of the script. A remote user can determine the full path to the web root directory and other potentially sensitive information. The following PoC is available: [code] /wp-includes/theme-compat/comments-popup.php /wp-includes/theme-compat/comments.php /wp-includes/theme-compat/footer.php /wp-includes/theme-compat/sidebar.php /wp-content/themes/twentyten/index.php /wp-content/themes/twentyten/404.php /wp-content/themes/twentyten/archive.php [/code]
Current thread:
- HTB22905: Path disclosure in Wordpress advisory (Mar 29)
- Re: HTB22905: Path disclosure in Wordpress Christian Sciberras (Mar 30)
- Re: HTB22905: Path disclosure in Wordpress Patrick Kelley (Mar 30)
- Message not available
- Re: HTB22905: Path disclosure in Wordpress Patrick Kelley (Mar 30)
- Re: HTB22905: Path disclosure in Wordpress Patrick Kelley (Mar 30)
- Re: HTB22905: Path disclosure in Wordpress Christian Sciberras (Mar 30)
- <Possible follow-ups>
- Re: Re: HTB22905: Path disclosure in Wordpress mike (Mar 31)